Eyou · Eyou Mail System · CVE-2014-1203
Name of the Vulnerable Software and Affected Versions:
Eyou Mail System versions prior to 3.6
Description:
The `get_login_ip_config_file` function in the "/admin/domain/ip_login_set/d_ip_login_get.php" API endpoint allows remote attackers to execute arbitrary commands via shell metacharacters in the `domain` parameter: the value is passed to a shell without being sanitized.
Recommendations:
For versions prior to 3.6, consider disabling the `get_login_ip_config_file` function until a patch is available. Restrict access to the "/admin/domain/ip_login_set/d_ip_login_get.php" API endpoint to minimize the risk of exploitation. Avoid using the `domain` parameter of the affected API endpoint until the issue is resolved.
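As an added example (not code from Eyou or from this advisory), the following Python shows the two defensive checks the recommendations imply: a strict hostname allow-list that a hardened version of the endpoint would apply to `domain` before any shell interaction, and a scanner that flags requests to the affected endpoint in web-server access logs whose `domain` value fails that allow-list or carries shell metacharacters. It assumes the endpoint path is spelled with underscores, that the log is in combined format, and that `domain` is sent as a query-string parameter; the log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Endpoint named in CVE-2014-1203 (assumption: path spelled with underscores).
AFFECTED_PATH = "/admin/domain/ip_login_set/d_ip_login_get.php"

# Allow-list for a DNS hostname: dot-separated labels of letters, digits and
# hyphens, no leading or trailing hyphen, at most 253 characters in total.
# Every shell metacharacter fails this check, so validating before use is the
# fix; escaping after the fact is only a fallback.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")

# Characters a POSIX shell interprets; any of them inside a domain value sent
# to the affected endpoint is a strong indicator of an injection attempt.
SHELL_METACHARS = set(";|&`$<>(){}\n\r'\"\\*?[]!#~ ")


def is_safe_domain(value: str) -> bool:
    """Return True only if `value` is a well-formed hostname (allow-list check)."""
    return len(value) <= 253 and _HOSTNAME_RE.fullmatch(value) is not None


def has_shell_metachars(value: str) -> bool:
    """Return True if `value` contains any character a shell would interpret."""
    return any(ch in SHELL_METACHARS for ch in value)


# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def scan_log(lines):
    """Return (client_ip, timestamp, decoded_domain) for every request to the
    affected endpoint whose domain parameter is not a plain hostname."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != AFFECTED_PATH:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for raw in params.get("domain", []):
            # parse_qs decodes once; decode again to catch double-encoded values.
            value = unquote(raw)
            if has_shell_metachars(value) or not is_safe_domain(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


# Constructed sample log: one benign request, two suspicious ones, one unrelated.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2014:10:01:02 +0000] "GET /admin/domain/ip_login_set/'
    'd_ip_login_get.php?domain=example.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2014:10:01:07 +0000] "GET /admin/domain/ip_login_set/'
    'd_ip_login_get.php?domain=example.com%3Bid HTTP/1.1" 200 640',
    '10.0.0.9 - - [12/Mar/2014:10:01:09 +0000] "GET /admin/domain/ip_login_set/'
    'd_ip_login_get.php?domain=example.com%2Fx HTTP/1.1" 200 640',
    '10.0.0.7 - - [12/Mar/2014:10:02:00 +0000] "GET /admin/index.php HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious domain value: {value!r}")
```

The allow-list is deliberately stricter than a metacharacter blocklist: the third sample line contains no shell metacharacter at all, yet `/` is not valid in a hostname, so it is still flagged. Running the scanner over the real access log of an instance older than 3.6 gives a quick answer to whether the endpoint was probed before access to it was restricted.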